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DETAILED ACTION 

Examiner's Statement of Reasons for Allowance 

1. Claims 1, 3, 4, 6-8 and 10-24 are allowed over prior art. 

2. This action is in reply to applicant's correspondence of 21 May 2007. 

3. The following is an examiner's statement of reasons for the indication of allowable 
claimed subject matter. 

4. As per claims 1, 22 and 24 generally, prior art of record, Baratloo, A., et al, Transparent 
Run-Time Defense Against Stack Smashing Attacks', 2000 Proceedings of the USENIX Annual 
Technical Conference, entire document, 

http://citeseer.ist.psu.edU/cache/papers/cs/24655/http:zSzzSzwww.research.avayalabs.comzSzpro 
jectzSzlibsafezSzdoczSzusenixOO.pdf/baratlooOOtransparent.pdf ('Baratloo'), fails to teach alone, 
or in combination, at the time of the invention, the features as discussed and remarked upon in 
the response of 21 May 2007 to office action of 09 March 2007. 

Specifically, (as per claim 1, for example) prior art dealing with the ability to trace code 
for debugging, vulnerability hunting and malware analysis, insofar as utilizing trace buffer 
results relating to 'single stepping 5 through all instructions generally, and setting up for branch 
(i.e., return instruction execution capture) tracing more particularly (i.e., using Intel MSR 
registers to setup for tracing blocks of code delineated by branch/path alteration instructions; 

pedram /Branch Tracing with Intel MSR Registers', www.openrce.org/blog, 12/13/2006, entire blog, 
https://www.openrce.org/blog/view/535/Branch_Tracing_withJntel_MSR_Registers), is generally known per se. 

Nowhere in the prior art is found collectively the italicized claim elements (i.e., the various 

aspects of stalling a critical OS function call prior to determination of a return instruction 
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execution relative to the function call within a previous top of stack, insofar as a value associated 
with the return address, and subsequent computer protective actions taken upon such 
determination), at the time of the invention, serving to patently distinguish the invention from 
said prior art; 

"A method comprising: 
stalling a call to 

a critical operating system (OS) function; and 
determining whether said call is from 
a return instruction comprising: 
looking up a value at 

a previous top of stack; and 
determining whether said value is 
equivalent to an address of 

said critical OS function, 
wherein upon a determination that 
said call is from 

execution of said return instruction during said determining, 
said method further comprising 

taking protective action to protect a computer system". 



5. 



Dependent claims 3, 4, 6-8, 10-21 and 23 are allowable by virtue of their dependencies. 
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Conclusion 

6. Any inquiry concerning this communication or earlier communications from examiner 
should be directed to Ronald Baum, whose telephone number is (571) 272-3861, and whose 
unofficial Fax number is (571) 273-3861 and unofficial email is Ronald.baum@uspto.gov. The 
examiner can normally be reached Monday through Thursday from 8:00 AM to 5:30 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami, can be reached at (571) 272-4195. The Fax number for the 
organization where this application is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. For more information for 
unpublished applications is available through Private PAIR only. For more information about the 
PAIR system, see http://pair-direct.uspto.gov . Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
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SUPERVISORY PATENT EXAMINER 
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Ronald Baum 



Patent Examiner. 




